Netgate has released pfSense Plus 25.11.1, a critical maintenance update that delivers more than 26 fixes and improvements to the world’s leading open-source firewall and routing platform. Released on January 27, 2026, this update builds on version 25.11 and introduces security patches, stability enhancements, and hardware-specific improvements that network administrators need to know about.
pfSense Plus 25.11.1 represents a focused maintenance release addressing critical issues discovered in version 25.11. Key highlights include fixes for IPv6 connectivity problems with TSO enabled, security patches for the rtsold vulnerability, hardware improvements for the Netgate 2100, and updated TLS certificate lifetime recommendations to align with evolving industry standards.
Critical Security Updates
rtsold Remote Command Execution Vulnerability Fixed
One of the most significant security improvements in this release addresses FreeBSD Security Advisory FreeBSD-SA-25:12.rtsold, which describes a remote command execution vulnerability in the rtsold daemon. The vulnerability could allow attackers to execute arbitrary commands through specially crafted DNSSL router advertisement messages.
The vulnerability affects systems using IPv6 router advertisements and could be exploited by an attacker on the local network. pfSense Plus 25.11.1 includes upstream patches that completely resolve this security issue. Users running earlier versions who cannot immediately upgrade can apply patches through the System Patches Package for versions 25.11, 25.07.1, and CE 2.8.1.
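For defenders who want to see which search domains a router on the segment is advertising, the following added example (not code from Netgate or FreeBSD) parses the DNSSL option (type 31, RFC 8106) out of a captured ICMPv6 Router Advertisement and flags search domains whose labels fall outside the letters-digits-hyphen hostname alphabet. The sample packet is constructed, and treating non-LDH labels as suspicious is an assumption of this example, not the advisory's own detection criterion.

```python
import re
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type: Router Advertisement
OPT_DNSSL = 31          # ND option: DNS Search List (RFC 8106)
# Assumption of this example: a well-formed search-domain label is plain LDH.
LDH_LABEL = re.compile(rb"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def decode_names(data):
    """Decode the label-encoded names of a DNSSL option; trailing zeros are padding."""
    names, labels, i = [], [], 0
    while i < len(data):
        n, i = data[i], i + 1
        if n == 0:                      # end of one name, or a padding byte
            if labels:
                names.append(labels)
                labels = []
            continue
        if n > 63 or i + n > len(data):
            raise ValueError("bad label length in DNSSL option")
        labels.append(data[i:i + n])
        i += n
    if labels:
        raise ValueError("unterminated name in DNSSL option")
    return names

def audit_ra(icmp6):
    """Return (search_domain, is_clean) for every DNSSL entry in an ICMPv6 RA."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    results, off = [], 16               # ND options start after the 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed ND option")
        if opt_type == OPT_DNSSL:       # skip type, length, reserved, lifetime (8 bytes)
            for labels in decode_names(icmp6[off + 8:off + opt_len]):
                name = b".".join(labels).decode("latin-1")
                results.append((name, all(LDH_LABEL.fullmatch(l) for l in labels)))
        off += opt_len
    return results

def build_sample_ra():
    """Constructed sample: RA header plus one DNSSL option with two search domains."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    names = b"\x03lan\x07example\x00" + b"\x07lab net\x07example\x00"
    names += b"\x00" * (-len(names) % 8)            # pad to a multiple of 8 bytes
    option = struct.pack("!BBHI", OPT_DNSSL, (8 + len(names)) // 8, 0, 600) + names
    return header + option
```

Calling `audit_ra(build_sample_ra())` returns `[("lan.example", True), ("lab net.example", False)]`; the input is the ICMPv6 payload of the packet, without the IPv6 header.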
Network Connectivity and Performance Fixes
IPv6 Connection Failures with TSO Resolved
Version 25.11 introduced a significant issue affecting users who had enabled TCP Segmentation Offload (TSO) with IPv6 connections. The problem manifested when the packet filter received packets exceeding the interface MTU that couldn’t be fragmented, causing connection termination for traffic originating from the firewall itself.
This primarily affected communication with Netgate’s update servers over IPv6, preventing users from receiving packages and updates. Version 25.11.1 includes upstream kernel patches that completely resolve this issue.
Workaround for 25.11 Users: If you’re running version 25.11 with TSO enabled and experiencing connectivity issues, you must temporarily revert TSO to its default disabled state before attempting the upgrade. Navigate to System > Advanced > Networking tab and check “Disable hardware TCP segmentation offload.”
TLS Certificate Security Enhancements
pfSense Plus 25.11.1 implements stricter TLS certificate requirements aligned with CA/Browser Forum baseline requirements. The release reduces the recommended maximum server certificate lifetime from 398 days to 200 days, preparing administrators for upcoming industry-wide changes scheduled for March 15, 2026.
The updated OpenSSL version removes support for weak certificate properties, including certificates with key lengths under 2048 bits. Services configured with legacy weak certificates may fail to start after upgrading, displaying errors such as “key too small.”
Administrator Action Required: Before upgrading, navigate to System > Certificates and use the Renew/Reissue function to validate all server certificates against strict security standards. Administrators should check the “Certificate Properties vs Strict Security” table and renew any certificates showing changes in the “Would Change” column.
Hardware-Specific Improvements
Netgate 2100 LAN Port Signal Transmission Fix
Netgate 2100 users experiencing intermittent connectivity issues will benefit from updated LAN port link parameters. The previous firmware contained a signal transmission issue that prevented packets with specific byte patterns from being transmitted through the LAN port.
This hardware-specific fix only affects the Netgate 2100 model and addresses a subtle but potentially disruptive issue that could cause unpredictable network behavior. The update modifies low-level driver parameters to ensure reliable packet transmission across all data patterns.
Conclusion
pfSense Plus 25.11.1 represents a mature, production-ready release that addresses critical security vulnerabilities and stability issues. The focus on security hardening through updated certificate requirements and the rtsold vulnerability fix demonstrates Netgate’s commitment to maintaining pfSense Plus as a secure networking platform.
Changelog Summary
Version: 25.11.1
Release Date: January 27, 2026
Type: Maintenance Release
Fixes: 26+ improvements and fixes
Security Level: Critical (includes CVE-related patches)
Upgrade Priority: High (especially for IPv6 deployments and Netgate 2100 users).
Support and Resources
Official Documentation
Complete Release Notes
Upgrade Guide
Troubleshooting Upgrades
Community Resources
Netgate Forum: Community support and discussions
Reddit r/PFSENSE: Community tips and troubleshooting
Official Blog: Release announcements and technical articles
Professional Support
Netgate offers several support tiers:
TAC Lite: Included with Netgate appliances
TAC Pro: 24/7/365 priority support
TAC Enterprise: Dedicated support with guaranteed response times
Professional Services: Custom implementations and consulting